Top 10 PHP/MySQL code security tips

In this post we look at how to write PHP and MySQL code securely. It is a list of the most common mistakes we make while coding, and the precautions to take against them. Here are the examples.

1. Do not trust user input

If you are expecting an integer, call intval() (or use an (int) cast). If you don't expect a username to contain a dash (-),
check for it with strstr() and tell the user that the username is not valid. In general, prefer an allow-list (a description of what a valid value looks like) over a deny-list of individual bad characters, because a deny-list is only as complete as your imagination.

Here is an example:

PHP Code:

// Coerce first: whatever was in the query string, $post_id is now a plain integer
$post_id = intval($_GET['post_id']);
mysql_query("SELECT * FROM post WHERE id = $post_id");

Now $post_id is certain to be an integer, so it cannot carry quotes, semicolons or any other SQL syntax into the query.

2. Validate user input on the server side

If you validate user input with JavaScript, be sure to do it on the server side too: to bypass your JavaScript validation a user
only needs to turn JavaScript off, or send the request with any HTTP client that never runs your script at all.
JavaScript validation is only good for giving the user quick feedback and reducing server load; it is not a security control.
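Here is what tips 1 and 2 look like as one server-side validator, written as an added example (it is not code from the original post). It goes a little beyond the text: instead of looking for a single forbidden character with strstr(), it states what a valid value is and rejects everything else, and it uses filter_var() rather than intval() for the integer so that near-integers such as "12abc" are refused instead of silently truncated. The username pattern, the minimum post id and the field names are assumptions made for the demonstration.

```php
<?php
// Added example, not from the original post. Server-side validation with an
// allow-list: say exactly what a valid value looks like and reject everything else.
// The limits below (username pattern, post id range) are assumptions for the demo.

function validate_username($value) {
    if (!is_string($value)) {               // a crafted request can send an array or a number
        return 'username must be a string';
    }
    // Letters, digits and underscore only, 3 to 20 characters. This one rule rejects
    // the dash, quotes, spaces, slashes, NUL bytes and anything outside ASCII.
    // \A and \z anchor the whole string; $ alone would allow a trailing newline.
    if (!preg_match('/\A[A-Za-z0-9_]{3,20}\z/', $value)) {
        return 'username may contain only letters, digits and underscore (3-20 characters)';
    }
    return null;                            // null means valid
}

function validate_post_id($value) {
    // FILTER_VALIDATE_INT accepts only a canonical decimal integer: "12" passes,
    // "12abc", "1e3" and "0x1A" do not, whereas intval() would quietly turn them
    // into 12, 1000 and 0. min_range keeps 0 and negatives out as well.
    $id = filter_var($value, FILTER_VALIDATE_INT, array('options' => array('min_range' => 1)));
    return $id === false ? null : $id;      // integer on success, null on failure
}

// Validate a whole request and collect every error, as the server-side check
// behind a JavaScript form should.
function validate_request(array $input) {
    $errors = array();
    $err = validate_username(isset($input['username']) ? $input['username'] : '');
    if ($err !== null) {
        $errors['username'] = $err;
    }
    if (validate_post_id(isset($input['post_id']) ? $input['post_id'] : '') === null) {
        $errors['post_id'] = 'post_id must be a positive integer';
    }
    return $errors;                         // an empty array means the request is acceptable
}

// Constructed inputs, the kind you receive when a user submits with JavaScript off.
print_r(validate_request(array('username' => 'alice_01', 'post_id' => '42')));
print_r(validate_request(array('username' => 'ali-ce', 'post_id' => '42; DROP TABLE post')));
print_r(validate_request(array('username' => array('x'), 'post_id' => '-1')));
```

Run it from the command line: the first request produces no errors, the second is refused on both fields (the dash in the username and the text after the number), and the third shows why the is_string() check matters, since an array would otherwise reach preg_match().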

3. Do not use user input directly in your SQL queries

Use mysql_real_escape_string() to escape the user input. A commonly recommended wrapper for it is this function (reproduced here with small changes). Note that the mysql_* extension used throughout this post was removed in PHP 7; with mysqli or PDO, prepared statements make this kind of escaping unnecessary and are the preferred fix.

PHP Code:

function escape($values) {
    if (is_array($values)) {
        // Escape every element, recursing into nested arrays
        $values = array_map('escape', $values);
    } else {
        /* Quote if not integer */
        if (!is_numeric($values) || $values[0] == '0') {
            // mysql_real_escape_string() needs an open connection and escapes
            // according to that connection's character set
            $values = "'" . mysql_real_escape_string($values) . "'";
        }
    }
    return $values;
}

Then you can use it like this:

PHP Code:

$username = escape($_POST['username']);
mysql_query("SELECT * FROM user WHERE username = $username"); /* escape() also adds the quotes around strings automatically */

4. In your SQL queries don't put integers in quotes

Quoting does not make unvalidated input safe. For example, $id is supposed to be an integer:

PHP Code:

$id = "0; DELETE FROM users";
$id = mysql_real_escape_string($id); // still 0; DELETE FROM users - mysql_real_escape_string() does not escape ;
mysql_query("SELECT * FROM users WHERE id='$id'");

The value contains no quote character, so escaping changes nothing, and the query receives text where a number was expected. The quotes only appear to protect you here, and the moment someone writes the same query without them the ; is live SQL. Using intval() (tip 1) fixes the problem properly: the value becomes 0 before it reaches the query and can then be used unquoted. mysql_query() refuses to run more than one statement, but mysqli_multi_query() and other drivers do not, so never rely on that.
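Tips 3 and 4 are both symptoms of building SQL by string concatenation. The following is an added example (not code from the original post) showing the same lookups with PDO prepared statements, where the SQL text and the values travel to the database separately and the application never quotes or escapes anything. It uses an in-memory SQLite database so it runs stand-alone; the table, rows and function names are constructed for the demonstration, and with MySQL the only change is the DSN.

```php
<?php
// Added example, not code from the original post: the lookups from tips 3 and 4
// done with PDO prepared statements. SQLite in memory is used so the script runs
// stand-alone; with MySQL you would use a DSN such as 'mysql:host=localhost;dbname=app'
// and the rest of the code is the same.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// On the MySQL driver also set PDO::ATTR_EMULATE_PREPARES to false so that the
// server, not the client library, parses the statement.

// Constructed sample data for the demonstration.
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)");
$pdo->exec("INSERT INTO users (id, username) VALUES (1, 'alice'), (2, 'bob')");

function find_user_by_id(PDO $pdo, $id) {
    // Tip 1 and tip 4 together: coerce to an integer first, then bind it as one.
    // The placeholder is never quoted and never sees text.
    $stmt = $pdo->prepare("SELECT id, username FROM users WHERE id = :id");
    $stmt->bindValue(':id', intval($id), PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC);   // the row as an array, or false if none
}

function find_user_by_name(PDO $pdo, $username) {
    // Strings are bound, never concatenated: quotes and semicolons in the
    // input are data to the database, not SQL.
    $stmt = $pdo->prepare("SELECT id, username FROM users WHERE username = :name");
    $stmt->bindValue(':name', $username, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

function user_count(PDO $pdo) {
    return (int) $pdo->query("SELECT COUNT(*) FROM users")->fetchColumn();
}

// The payload from tip 4: intval("0; DELETE FROM users") is 0, no row has id 0,
// and the DELETE never reaches the database.
var_dump(find_user_by_id($pdo, "0; DELETE FROM users"));
// A classic string payload, bound as a literal: it simply matches no username.
var_dump(find_user_by_name($pdo, "' OR '1'='1"));
// Ordinary input still works, and the table is untouched.
var_dump(find_user_by_name($pdo, 'alice'));
var_dump(user_count($pdo));
```

The two malicious lookups return false (no matching row) and the row count at the end is still 2, which is the whole point: the database was asked "is there a user whose name is this exact string", never "run this SQL".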

5. When uploading files, validate the file type

If you are expecting images, make sure the file you are receiving really is an image; otherwise it might be a PHP script that runs
on your server and does whatever damage you can imagine. Do not rely on $_FILES['userfile']['type'] for this: the browser supplies it and an attacker can set it to anything.

One quick way (insufficient on its own) is to check the file extension:

PHP Code:
$valid_extensions = array('jpg', 'gif', 'png'); // ...

$file_name = basename($_FILES['userfile']['name']);
$_file_name = explode('.', $file_name);
$ext = $_file_name[ count($_file_name) - 1 ]; // the part after the last dot

if( !in_array($ext, $valid_extensions) ) {
    /* This file is invalid */
}

This comparison is case sensitive (photo.JPG is refused), and a name such as shell.php.jpg passes, which is enough on some server configurations for the file to be executed as PHP. Also check the content of the file, store it under a name you generate rather than the one the client sent, and keep the upload directory outside the document root or make sure the web server will not execute anything in it.
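Below is an added example (not code from the original post) of the fuller check: the extension allow-list from above, the MIME type taken from the file's bytes with the fileinfo extension rather than from the browser, a successful parse of the image header, and a server-generated filename. It assumes the fileinfo extension is loaded (it is in default builds), uses rename() in place of move_uploaded_file() so that it can run on constructed temp files instead of a real upload, and the function name, return shape and the $upload_dir argument (assumed to be outside the web root) are choices made for the demonstration.

```php
<?php
// Added example, not code from the original post. Validates an uploaded image by
// extension, by the MIME type sniffed from its contents, and by parsing the image
// header, then stores it under a random name. Returns an array with 'ok' and
// either 'error' or 'stored_as'. $upload_dir is assumed to be outside the web root.
function validate_image_upload($tmp_path, $original_name, $upload_dir) {
    $allowed = array(
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'gif'  => 'image/gif',
        'png'  => 'image/png',
    );
    $image_types = array('jpg' => IMAGETYPE_JPEG, 'jpeg' => IMAGETYPE_JPEG,
                         'gif' => IMAGETYPE_GIF, 'png' => IMAGETYPE_PNG);

    // Extension: lowercase it so photo.PNG and photo.png are treated alike, and
    // take only the last one; shell.php.png is judged by the checks below, not by its name.
    $ext = strtolower(pathinfo($original_name, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return array('ok' => false, 'error' => "extension '$ext' is not allowed");
    }

    // MIME type from the bytes on disk, not from $_FILES['userfile']['type'].
    // A PHP script renamed to .png comes back as text/x-php or text/plain.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($tmp_path);
    if ($mime !== $allowed[$ext]) {
        return array('ok' => false, 'error' => "content type $mime does not match .$ext");
    }

    // The image header must parse as the type the extension claims. The @ only
    // silences the notice getimagesize() emits for non-image data.
    $info = @getimagesize($tmp_path);
    if ($info === false || $info[2] !== $image_types[$ext]) {
        return array('ok' => false, 'error' => 'file is not a valid image');
    }

    // Never reuse the client's filename: random name, fixed extension.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    // A real upload handler uses move_uploaded_file() here; rename() is used so
    // the example runs on ordinary temp files.
    if (!rename($tmp_path, $upload_dir . '/' . $stored)) {
        return array('ok' => false, 'error' => 'could not store file');
    }
    return array('ok' => true, 'stored_as' => $stored);
}

// Constructed inputs: a genuine 1x1 PNG and a PHP script uploaded under a .png name.
$dir = sys_get_temp_dir();
$png = tempnam($dir, 'up');
file_put_contents($png, base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='));
$script = tempnam($dir, 'up');
file_put_contents($script, "<?php system(\$_GET['cmd']);\n");

print_r(validate_image_upload($png, 'photo.PNG', $dir));
print_r(validate_image_upload($script, 'shell.php.png', $dir));
```

The PNG is accepted and stored under a random name in $dir; the script passes the extension test (its last extension is .png) and is then refused by the MIME check, which is the layer the extension-only version above lacks.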

6. Give your database users just enough permissions

If a database user is never going to drop tables, then don't give it the DROP privilege when creating it;
for a typical web application just SELECT, UPDATE, DELETE and INSERT on the application's own database are enough. Use a separate, minimally privileged account rather than root, so that an SQL injection that does slip through can do as little as possible.

7. Do not allow hosts other than localhost to connect to your database

MySQL accounts are defined per host (user@host), so create the application's account for localhost only. If you need remote access, add only that particular host or IP as necessary, but never, ever let everyone connect to your database server.

8. Your library file extensions should be .php

.inc files are sent to the browser as plain text (unless your server is set up to interpret them as PHP scripts),
so users will be able to read your messy code (kidding) and possibly find exploits or see your database passwords.
Give such files a .php extension, or put a .htaccess file in your include (templates, libs etc.) folders with this one line:


deny from all

On Apache 2.4 the equivalent directive is Require all denied. Better still, keep library and configuration files outside the document root, where no URL can reach them at all.

9. Have register_globals off or define your variables first

register_globals can be very dangerous; consider this bit of code:

PHP Code:
if( user_logged_in() ) {
    $auth = true;
}

if( $auth ) {
    /* Do some admin stuff */
}

With register_globals on, every request parameter becomes a PHP variable before your script runs, so a request for the page with ?auth=1 sets $auth to a true value and the admin code runs for anyone. If you have register_globals on and can't turn it off for some reason, you can fix such issues by defining your variables first:

PHP Code:
$auth = false;
if( user_logged_in() ) {
    $auth = true;
}

if( $auth ) {
    /* Do some admin stuff */
}

Defining your variables first is a good programming practice that I suggest you follow anyway. (register_globals was removed in PHP 5.4, so it no longer exists on any supported PHP version; the habit is still worth keeping.)

10. Keep PHP itself up to date

Take a look at the PHP release announcements and note how many security issues are
fixed in every release to understand why this is important.


Tips for optimizing Php code

You all techies know that PHP is a widely used scripting language, and that it is easy to code in, but everything must be done properly. Here are some useful tips for optimizing PHP code. The speed-up figures quoted below come from old microbenchmarks and differ between PHP versions; treat them as rough guidance and profile your own code before relying on any of them.

** If a method can be static, declare it static. Speed improvement is by a factor of 4.

** echo is faster than print.

** Use echo’s multiple parameters instead of string concatenation.

** Compute the upper bound of a for loop once, before the loop, not in the loop condition.

** Unset your variables to free memory, especially large arrays.

** Avoid magic like __get, __set, __autoload.

** require_once() is expensive.

** Use full paths in includes and requires, less time spent on resolving the OS paths.

** If you need to find out the time when the script started executing, $_SERVER['REQUEST_TIME'] is preferred to time().

** See if you can use strncasecmp, strpbrk and stripos instead of regex.

** str_replace is faster than preg_replace, but strtr is faster than str_replace by a factor of 4.

** If a function such as a string replacement function accepts both arrays and single strings as arguments, and your argument list is not too long, consider writing a few redundant replacement statements, passing one search string at a time, instead of one call that takes arrays as the search and replace arguments.

** It’s better to use switch statements than multi if, else if, statements.

** Error suppression with @ is very slow.

** Turn on apache’s mod_deflate.

** Close your database connections when you’re done with them.

** $row['id'] is 7 times faster than $row[id]. The unquoted form makes PHP look for a constant named id first; since PHP 8 an undefined constant is a fatal error, so always quote string keys.

** Error messages are expensive.

** Do not call functions in a for loop's condition, as in for ($x = 0; $x < count($array); $x++): count() is called on every iteration. Store the count in a variable before the loop and compare against that.

** Incrementing a local variable in a method is the fastest. Nearly the same as calling a local variable in a function.

** Incrementing a global variable is 2 times slower than a local variable.

** Incrementing an object property (eg. $this->prop++) is 3 times slower than a local variable.

** Incrementing an undefined local variable is 9-10 times slower than a pre-initialized one.

** Just declaring a global variable without using it in a function also slows things down (by about the same amount as incrementing a local var). PHP probably does a check to see if the global exists.

** Method invocation appears to be independent of the number of methods defined in the class because I added 10 more methods to the test class (before and after the test method) with no change in

** Methods in derived classes run faster than ones defined in the base class.

** A function call with one parameter and an empty function body takes about the same time as doing 7-8 $localvar++ operations. A similar method call is of course about 15 $localvar++ operations.

** Surrounding your string with ' instead of " makes parsing a little faster, since PHP looks for variables inside "..." but not inside '...'. Of course you can only do this when you don't
need variables in the string.

** When echoing strings it’s faster to separate them by comma instead of dot. Note: This only works with echo, which is a function that can take several strings as arguments.

** A PHP script will be served at least 2-10 times slower than a static HTML page by Apache. Try to use more static HTML pages and fewer scripts.

** Your PHP scripts are recompiled on every request unless they are cached. Install an opcode cache to typically increase performance by 25-100% by removing compile time.

** Cache as much as possible. Use memcached: memcached is a high-performance memory object caching system intended to speed up dynamic web applications by relieving database load. Opcode caches are useful so that your script does not have to be compiled on every request.

** When you need to check that a string is at least (or at most) a certain length, you would understandably reach for strlen(). This function is quick, since it performs no calculation
but merely returns the length already stored in the zval structure (the internal C struct PHP uses for variables). However, because strlen() is a
function, the call still costs something: a lowercase conversion and a hashtable lookup of the name, followed by the call itself. In some cases you can save that by using an isset() trick on a string offset.

if (strlen($foo) < 5) { echo "Foo is too short"; }
if (!isset($foo[4])) { echo "Foo is too short"; }

String offsets are zero-based, so isset($foo[4]) is true exactly when the string has at least 5 characters. The older form of this trick, isset($foo{5}), used the curly-brace offset syntax that was removed in PHP 8, and it also tested for 6 characters rather than 5.

** isset() happens to be faster than strlen() because, unlike strlen(), it is a language construct and not a function, so executing it needs no function lookup or lowercasing.
This means you have virtually no overhead on top of the code that actually determines the string's length.

** When incrementing or decrementing a variable, $i++ happens to be slower than ++$i. This is PHP specific and does not apply to other languages, so don't go modifying your C or
Java code expecting it to get faster; it won't. ++$i is faster in PHP because it needs 3 opcodes where $i++ needs 4: post-increment creates
a temporary variable that is then incremented, while pre-increment increases the original value directly. This is one of the optimizations that opcode optimizers such as Zend's PHP optimizer perform. It is still a good idea to keep in mind, since not all opcode optimizers do it and plenty of ISPs and servers run without one.

** Not everything has to be OOP; often it is too much overhead, since each method and object call consumes a lot of memory.

** Do not implement every data structure as a class, arrays are useful, too.

** Don’t split methods too much, think, which code you will really re-use.

** You can always split the code of a method later, when needed.

** Make use of the countless predefined functions.
** If you have very time consuming functions in your code, consider writing them as C extensions.

** Profile your code. A profiler shows you which parts of your code consume how much time. The Xdebug debugger already contains a profiler, and profiling shows you the bottlenecks at a glance.

** mod_gzip which is available as an Apache module compresses your data on the fly and can reduce the data to transfer up to 80%.

– Sankar ganesh

If you have any queries please leave a comment

Hope this will be useful